Professional Documents
Culture Documents
If your business relies on information technology (IT) systems such as computers and
networks for key business activities you need to be aware of the range and nature of risks to
those systems.
General IT threats
General threats to IT systems and data include:
Read more about email scams, viruses, hackers, and other IT threats.
Criminal IT threats
Specific or targeted criminal threats to IT systems and data include:
Related links
wired
In computing terminology, the term "wired" is used to differentiate
between wireless CONNECTIONS and those that involve cables. While wireless
devices COMMUNICATE over the air, a wired setup uses physical cables to
transfer data between different devices and computer systems.
A wired network is a common type of wired configuration. Most wired networks
use Ethernet cables to transfer data between connected PCs. In a small wired
network, a single router may be used to CONNECT all the computers. Larger
networks often involve multiple routers or switches that connect to each other.
One of these devices typically CONNECTS to a cable modem, T1 line, or other
type of Internet CONNECTION that provides Internet access to all devices
connected to the network.
Wired
may
refer
to peripheral devices
as
well.
Since
many keyboards and mice are now wireless, "wired" is often used to
describe input
devices that
connect
to
a USB port.
Peripherals
such
asmonitors and external hard drives also use cables, but they are rarely called
wired devices since wireless options are generally not available.
While many peripherals are now wireless, some users still prefer wired devices,
since they have a few benefits over their wireless counterparts. For example, an
Ethernet CONNECTION is not prone to signal interference that can slow
down Wi-Fi connections. Additionally, wired network connections are generally
faster than wireless ones, which allows for faster data transfer rates. Some users
also prefer wired peripherals since their is no need to replace batteries on a
regular basis. Gamers especially prefer wireless keyboards and mice since they
have lower latency and can be backlit, thanks to the power provided by the USB
connection.
wireless
In the computing world, the term "wireless" can be rather ambiguous, since it
may refer to several different wireless technologies. The two most common types
of wireless capabilities computers have are Wi-Fi and Bluetooth.
Wi-Fi is the technology used for wireless networking. If YOUR COMPUTER has a
wireless card, it is most likely Wi-Fi compatible. The wireless card transmits to a
wireless router, which is also based on the Wi-Fi standard. Wireless routers are
often CONNECTED to a network, cable modem, or DSL modem, which provides
Internet access to anyone connected to the wireless network.
Bluetooth is the technology often used for wireless keyboards and mice,
wireless printing, and wireless cell phone headsets. In order to use a device such
as a Bluetooth keyboard or mouse, your computer must be Bluetooth-enabled or
have a Bluetooth adapter INSTALLED .
Computers may also use other wireless technologies aside from Wi-Fi and
Bluetooth. Products such as remote controls and wireless mice may use infrared
or other proprietary wireless technologies. Because of the many wireless options
available, it is a good idea to check the system requirements of any wireless
device you are considering buying.
Bluetooth protocol
OSI protocols family of information exchange standards developed jointly by the ISO and
the ITU-T
Routing protocols
List of IP protocol numbers, protocol numbers used in the Protocol field of the IPv4
header and the Next Header field of IPv6 header
Security protocols protect a computer from attacks. To understand how security protocols work,
you must first understand what types of attacks they protect against. Networks and data are
vulnerable to both active attacks, in which information is altered or destroyed, and passive attacks,
in which information is monitored. Attacks that you might encounter include the following:
Altering data
This active attack takes place when data is interrupted in transit and modified before it reaches its
destination, or when stored data is altered. This passive attack takes advantage of network traffic
that is transmitted across the wire in clear text. The attacker simply uses a device that monitors
traffic and "listens in" to discover information. You'll hear this term referred to as sniffing the wire,
and sometimes as snooping.
IP address spoofing
One way to authenticate data is to check the IP address in data packets. If the IP address is valid,
that data is allowed to pass into the private network. IP address spoofing is the process of
changing the IP address so that data packets will be accepted. IP address spoofing can be used to
modify or delete data, or to perpetuate an additional type of attack.
Password pilfering
A hacker will obtain user IDs and passwords, or even encryption keys, to gain access to network
data, which can then be altered, deleted, or even used to create another attack. This type of attack
is usually done by asking unsuspecting users, reading sticky notes containing passwords that are
posted next to computers, or sniffing the wire for password information. Sometimes a hacker will
attempt to get HIRED at a company merely to obtain an ID and password with access rights to
the network.
Denial of service
This active attack is intended to cause full or partial network outages so that people will not be able
to use network resources and productivity will be affected. The attacker floods so many packets
through the network or through specific resources that other users can't access those resources.
The denial-of-service attack can also serve as a diversion while the hacker alters information or
damages systems.
Virus
3 Passwords
3.1 Appropriate usernames and passwords will be issued to all users. These will
allow general access to IT facilities as well as individual access to specific corporate
systems where required.
3.2 Each user has individual responsibility for the security of their password and it is
forbidden to give a password to another person. Systems staff will never ask an
individual to reveal their password.
3.3 Should the security of a password be compromised it is the responsibility of the
individual user to change it and to establish that no breach of confidentiality has
occurred. If there is a suspected breach of confidentiality this is to be reported
immediately to the Help Desk.
3.4 Passwords chosen must be of sufficient complexity such that they are not easy
for another person to deduce. In particular, for example, individuals should avoid
choosing passwords that feature their name, partner's name, car registration, pet or
anything that might be guessed or obtained by a third party.
3.5 Where technically possible, all information systems will enforce the following:
The minimum password length is six characters.
Passwords must be complex, that is consist of character(s) from at least THREE of
the following four sets:
- Lowercase letters [az]
- Uppercase letters [AZ]
-Digits [09]
-Special characters [`!$%^&*()-_=+[]{};#:@~\|,./<>?]
Passwords will expire from time to time and at intervals less than 181 days.
Previously used passwords cannot be re-used.
Three logon attempts with incorrect passwords within 24 hours will lock
an ACCOUNT .
Locked ACCOUNTS will remain locked until either:
a) reset by the Help Desk. The Help Desk will require adequate proof of identity
prior to unlocking an ACCOUNT
b) unlocked by the user via a secure self service system
c) or after 24 hours the ACCOUNT will automatically unlock
3.6 If it is necessary to record a password it must be kept securely, disguised in
some form.
3.7 In all cases, whether forced or not, passwords must be changed regularly at
least every 6 months.
3.8 In order to maintain user ACCOUNT security certain restrictions are in place to
help prevent unauthorised access.
3.9 Some special non-user logon accounts may not have a password, for example
projector accounts, but these will be secured by other means, such as restricting
their access and ability.
4 Training
4.1 All staff, students and associates will be offered appropriate training in the use of
relevant IT facilities. All users must take individual responsibility for ensuring they are
able to use correctly any information system to which they have been given access.
4.2 The University reserves the right to withdraw access to any system if an
individual places the security of the Universitys systems or information at significant
risk.
5 Information Security Officer
5.1 The University shall designate an individual as Information Security Officer, who
shall be responsibility for ensuring appropriate procedures, systems and guidelines
are in place and implemented. Oversight of Information Security lies with the
Information Systems Committee, and the Designated Authority as defined in the
AUP.
6 Data Ownership
6.1 The Vice Chancellor has overall ownership of all University information, but
delegates this responsibility to specific individuals (information owners) responsible
for identifying the use of that information. Individuals who create information will
normally be deemed the owner of their own information or information that they have
acquired. For information that applies to the corporate work of the University, this
owner will normally be a manager.
6.2 All information held on university systems, including that held on n:\ drives and in
email is owned by the University. All members of staff will have agreed to this when
accepting employment at the University. Where there are concerns relating to
intellectual property rights the individual must ensure the issue is specifically
addressed in the employment contract.
7 Personal use
7.1 While the University does not provide data storage for personal use, it is
accepted that limited personal use is allowed, as detailed in the AUP. However,
University systems (including email), should not be generally used to store personal
information.
7.2 Any personal information stored on your n:\ drive or in email is done so at the
individuals risk. This data remains the property of the University. All data is regularly
backed up and retained for at least one year, in order to protect the University from
business loss in the event of systems failure.
8 Confidentiality
8.1 All corporate information should be kept confidential with computer screens
password protected and away from public view.
8.2 Individuals must always log out of a user session (or use the CTRL, ALT &
DELETE keys to lock the screen when leaving a work station) and never leave a
machine with a live connection to an information system.
8.3 Certain information is particularly confidential (e.g. exam scripts, marks, personal
and medical data), and particular care must be taken with these . All users must be
14.1 The implementation of new or upgraded software must be carefully planned and
managed, to ensure that increased information security risks associated with any
changes are mitigated.
14.2 There will be formal change control procedures, with audit trails for all changes
to systems.
15 Access
15.1 Access to all information services shall use a secure logon process and access
to high value systems may have further limitations as appropriate. Access will always
be role/need and not by seniority of post.
15.2 Access controls shall be maintained at appropriate levels for all systems by
ongoing proactive management and any changes of access permissions must be
authorised by the manager of the system or application. A record of access
permissions granted must be maintained.
15.3 Access to IT systems is to be logged and monitored to identify potential misuse
of systems or information.
16 Privileged Access
16.1 Certain members of staff will have elevated permissions on some or all
systems. Some of these permissions are only granted when required but others will
be granted implicitly by membership of certain domain groups.
16.2 A full charter expanding on these responsibilities is contained as Appendix A to
this document.
16.3 With these elevated privileges comes increased responsibility, and all staff with
elevated permissions will undergo training in their responsibilities. Abuse of
privileged status will be regarded as a serious disciplinary matter.
16.4 If these staff leave the University, or are no longer a member of one of more of
the membership groups, either through secondment or a permanent change in job
role, these permissions will be revoked.
16.5 The University will regularly audit the status of all members of staff
and ACCOUNTS with increased privilege and confirm that this is still required and
at the correct level.
17 Clocks
17.1 All System clocks will be regularly synchronised to the same time signal via
automated processes such as NTP.
18 Capacity
18.1 Capacity demands of corporate systems shall be monitored, and actions taken
to ensure increased demands are met. Users must be aware that disk storage and
capacity is limited, and take reasonable care not to overload any system.
18.2 Any known or planned requirements for large amounts of storage or processing
power must be notified to and agreed by the AUP Designated Authority well in
advance.
19 Business Continuity
19.1 All corporate information systems and IT facilities will have a defined disaster
recovery process in place. Systems designated as critical will have some level of
resilience as long as this is technically possible and cost effective.
19.2 Responsibility for planning for being able to continue to operate without any IT
facility is the responsibility of individual Heads of Departments. Full details are in the
Business Continuity and Disaster Recovery Policy.
20 New information systems
20.1 The procurement or development of all new information systems must be
discussed with the either the Head of Computing Services or Head of Corporate
Information Services and approved by the Information Projects Programme Board.
20.2 Before introducing any new corporate data system, a risk assessment will
include an assessment of any legal obligations that may potentially arise from the
use of the system. The Head of Corporate Information Service oversees this risk
assessment.
21 Misuse
21.1 If any member of the University knows of or suspects any misuse of IT facilities,
they must report it either to their Head of Department or, if this is not appropriate, to
the Head of Computing Services.
21.2 If the suspected misuse is by the Head of Computing Services, the matter must
be reported to the Chair of the Information Services Committee or the Vice
Chancellor.
21.3 In the case of reported or suspected misuse of computers or breach of the AUP
by a student, then whatever the degree of reported or suspected misuse, the first
response will be to disable the user's network and/or email account immediately. The
purpose of this is to prevent any further misuse. At this time, the student's account
history file will be checked to see if there is any record of a previous offence.
21.4 In accordance with the Universitys Student Disciplinary Procedures, Computing
Services will in all cases refer the matter immediately to the students Head of
Department, with the relevant details. The Head of Department may meet with the
Head of Computing Services or nominee to discuss the incident
21.5 As stated in the AUP, a breach of regulations may result in access to IT facilities
being withdrawn, regardless of academic consequences.
21.6 In the case of reported or suspected misuse of computers or breach of the AUP
by a member of University staff, the University Staff Disciplinary Procedures will be
followed. Access to computing services may be withdrawn if appropriate.
21.7 In the case of reported or suspected misuse of computing services or breach of
the AUP by guests or associates, computing access may be withdrawn pending
investigation, and further action may include reporting the matter to the visitor's host
department and/or home institution if appropriate.
Many administrators also play a part in monitoring compliance with policies which
apply to the systems. For example some organisations may prohibit the sending or
viewing of particular types of material; or may restrict access to certain external sites,
or ban certain services from local systems or networks. The JANET Acceptable Use
Policy prohibits certain uses of the network. In all of these cases the administrator is
acting in support of policies, rather than protecting the operation of the system.
The law differentiates between operational and policy actions, for example in section
3(3) of the Regulation of Investigatory Powers Act 2000, so the administrator should
be clear, before undertaking any action, whether it is required as part of their
operational or policy role. The two types of activity are dealt with separately in the
following sections.
Operational activities
Where necessary to ensure the proper operation of networks or computer systems
for which they are responsible, authorised administrators may:
monitor and record traffic on those networks or display it in an appropriate form;
examine any relevant files on those computers;
rename any relevant files on those computers or change their access permissions
create relevant new files on those computers.
Where the content of a file or communication appears to have been deliberately
protected by the owner, for example by encrypting it, the administrator must not
attempt to make the content readable without specific authorisation from the
Designated Authority or the owner of the file.
The administrator must ensure that these activities do not result in the loss or
destruction of information. If a change is made to user filestore then the affected
user(s) must be informed of the change and the reason for it as soon as possible
after the event.
Policy activities
Administrators must not act to monitor or enforce policy unless they are sure that all
reasonable efforts have been made to inform users both that such monitoring will be
carried out and the policies to which it will apply. If this has not been done through a
general notice to all users then before a file is examined, or a network
communication monitored, individual permission must be obtained from all the
owner(s) of files or all the parties involved in a network communication.
Provided administrators are satisfied that either a general notice has been given or
specific permission granted, they may act as follows to support or enforce policy on
computers and networks for which they are responsible:
monitor and record traffic on those networks or display it in an appropriate form;
examine any relevant files on those computers;
rename any relevant files on those computers or change their access permissions
or ownership (see Modification of Data below);
create relevant new files on those computers.
Where the content of a file or communication appears to have been deliberately
protected by the owner, for example by encrypting it or by marking it as personal, the
administrator must not examine or attempt to make the content readable without
specific authorisation from the Designated Authority or the owner of the file.
The administrator must ensure that these activities do not result in the loss or
destruction of information. If a change is made to user filestore then the affected
user(s) must be informed of the change and the reason for it as soon as possible
after the event.
A.4. Disclosure of information
System and network administrators are required to respect the secrecy of files and
correspondence.
During the course of their activities, administrators are likely to become aware of
information which is held by, or concerns, other users. Any information obtained must
be treated as confidential - it must neither be acted upon, nor disclosed to any other
person unless this is required as part of a specific investigation:
Information relating to the current investigation may be passed to managers or
others involved in the investigation;
Information that does not relate to the current investigation must only be disclosed
if it is thought to indicate an operational problem, or a breach of local policy or the
law, and then only to the Designated Authority (or, if this is not appropriate, to a
senior manager of the organisation) for them to decide whether further investigation
is necessary.
Administrators must be aware of the need to protect the privacy of personal data and
sensitive personal data (within the meaning of the Data Protection Act 1998) that is
stored on their systems. Such data may become known to authorised administrators
during the course of their investigations. Particularly where this affects sensitive
personal data, any unexpected disclosure should be reported to the relevant data
controller.
A.5. Intentional Modification of Data
For both operational and policy reasons, it may be necessary for administrators to
make changes to user files on computers for which they are responsible. Wherever
possible this should be done in such a way that the information in the files is
preserved:
rename or move files, if necessary to a secure off-line archive, rather than deleting
them;
instead of editing a file, move it to a different location and create a new file in its
place;